Improving DNS Privacy in Firefox

Domain Name Service (DNS) is one of the oldest parts of internet architecture, and remains one that has largely been untouched by efforts to make the web safer and more private. On the Firefox network and security teams, we’re working to change that by encrypting DNS queries and by testing a service that keeps DNS providers from collecting and sharing your browsing history.

For more than 30 years, DNS has served as a key mechanism for accessing sites and services on the web. Browsers (including Firefox) use DNS to access a distributed database that turns URLs into TCP/IP addressing information. Firefox cannot do much without the service. DNS hails from the days of a kinder, gentler Internet where it was normal to make this kind of query using unencrypted protocols and send it to any nearby server that claimed to be able to answer it.

While sophisticated users can turn to cloud-based “open resolvers” that offer better privacy controls than what is available by default from most internet service providers (ISPs), these resolvers rely on the same old unencrypted protocols so ISPs can often intercept data anyway.

Our first effort to upgrade the privacy of DNS is to implement the DNS over HTTPS (DoH) protocol, which encrypts DNS requests and responses. See Lin Clark’s terrific explainer about how DNS over HTTPS can really improve the state of the art.

DoH support has been added to Firefox 62 to improve the way Firefox interacts with DNS. DoH uses encrypted networking to obtain DNS information from a server that is configured within Firefox. This means that DNS requests sent to the DoH cloud server are encrypted, while old-style DNS requests are not protected. DoH standardization is currently a work in progress and we hope that soon many DNS servers will secure their communications with it.

Firefox does not yet use DoH by default. See the end of this post for instructions on how you can configure Nightly to use (or not use) any DoH server.

Our second effort focuses on building a default configuration for DoH servers that puts privacy first.

We are running a shield study where some Nightly users will participate in one or more experiments to help us build out a secure, cloud-based service that handles DoH requests. All Nightly users will receive an in-product notification about these studies.

Cloudflare is our partner for these experiments. When a shield study is active, Nightly Firefox will automatically use Cloudflare’s secure DNS over HTTPS service (though we aren’t using the famous 1.1.1.1 address). The first study will test whether DoH’s performance is up to the task.

We’ve chosen Cloudflare because they agreed to a very strong privacy agreement that protects your data. TCP/IP requires sharing the name of a website with a third party in order to connect, regardless of whether you’re using DoH or traditional DNS. We want to be confident your DNS operates with strong privacy preserving terms like those we have established with Cloudflare.

We believe that negotiating a privacy first operating agreement is something that Firefox can do for people that is just impractical to ask them to do for themselves. Imagine calling up your residential ISP and asking them to agree to an audit that demonstrates they do not log your IP address on their DNS server. And then repeating the process for your favorite coffee shop, library, friend’s house — anywhere you and your browser go to connect.

Firefox improves user privacy by default by finding good partners, establishing legal agreements that put privacy first, and eventually shipping a default configuration we believe is best.

Shield studies will come and go. If you would like to see what studies you are currently enrolled in simply load about:studies in the location bar. You can also opt out of studies on that page.

How-To Manually Configure DoH

Do you want to use (or not use) DoH all the time? Use the configuration editor to configure DoH if you want to test DoH outside of a shield study. DoH support works best in Firefox 62 or newer. Shield studies will not override your manual configuration.

1] Type about:config in the location bar

2] Search for network.trr (TRR stands for Trusted Recursive Resolver – it is the DoH Endpoint used by Firefox.)

3] Change network.trr.mode to 2 to enable DoH. This will try to use DoH but will fall back to insecure DNS under some circumstances, like captive portals. (Use mode 5 to disable DoH under all circumstances.)
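An added illustration, not code from this post or from Firefox: this Python sketch walks through the DoH wire exchange a TRR performs, packing a DNS question into the `dns` GET parameter or an `application/dns-message` POST body and parsing the answer back. The endpoint URL is a placeholder and the response bytes are constructed, so everything except the live lookup runs offline.

```python
import base64
import struct
import urllib.request

# Placeholder, not a real resolver: the post does not name the study's DoH URL.
DOH_ENDPOINT = "https://doh.example/dns-query"
TYPE_A, CLASS_IN = 1, 1

def build_query(name, qtype=TYPE_A):
    """Pack a minimal RFC 1035 query. ID is fixed at 0 so identical questions give
    identical bytes, which is what lets HTTP caches work for DoH."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # flags RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, CLASS_IN)

def doh_get_url(query, endpoint=DOH_ENDPOINT):
    """GET form: the query travels in the `dns` parameter as unpadded base64url."""
    token = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={token}"

def _read_name(msg, off):
    """Read a possibly compressed name; return (dotted name, offset after it)."""
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            return ".".join(labels) + ".", off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer into the message
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = _read_name(msg, ptr)
            return ".".join(labels + [tail.rstrip(".")]) + ".", off + 2
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length

def parse_a_records(msg):
    """Return (rcode, [IPv4 strings]) from a wire-format response."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4              # QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        _, off = _read_name(msg, off)
        rtype, _, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == TYPE_A and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return flags & 0x0F, addrs

def query_doh(name, endpoint=DOH_ENDPOINT):
    """Live POST lookup, body typed application/dns-message. Needs network access
    and a real endpoint, so the offline sample below does not call it."""
    req = urllib.request.Request(
        endpoint, data=build_query(name), method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_a_records(resp.read())

# Constructed sample response (not captured from any resolver): NOERROR with one
# A record for example.test at the documentation address 192.0.2.1, TTL 300.
SAMPLE_RESPONSE = (
    b"\x00\x00\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"  # header: QR, RD, RA set
    + b"\x07example\x04test\x00\x00\x01\x00\x01"         # question: example.test A IN
    + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xc0\x00\x02\x01"  # answer
)
```

A mode 2 client treats a SERVFAIL or transport error from the DoH endpoint as the cue to fall back to the OS resolver, which is why split-horizon names still leak their existence to the TRR before the fallback happens.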

This truly is a terrible idea. So now Cloudflare decides what is good and what is bad? This allows Cloudflare to monopolize DNS traffic, collect that information, and now they don’t even need an end user agreement to sell it. They’re a competitor to OpenDNS, which does sell the information.

Not only does this open a huge set of legal liability issues, especially for those organizations that have a stack of compliance to deal with, you funneled all DNS requests that might be outside of an organization’s acceptable use policy to Cloudflare.

I think it’s a bad idea to centralize all of Firefox users’ DNS traffic onto one organization — no matter how strong your agreement with Cloudflare is. Decentralization is important for resilience, in particular against censorship and other policy decisions. I trust Cloudflare to get the technical redundancy right, but that’s not enough.

This is a HUGE step backwards in terms of decentralization. I think it is a mistake.

Agreed. This is complete madness, and will get shot down by everybody outside the US for good reason.

“But you can put your own dns resolver url in there”

So only 99.9% of the userbase will send their dns to a US company by default. That makes it all better. Oh look, I think every European government wants to have a word about this, while the crooks and the security services salivate at the thought of only having to pressure/hack one company to get everyone’s dns lookups.

I concede your point, but bear in mind it’s an experiment only available in Nightly at this point (and even then with no UI controlling it). Perhaps intl.accept_languages could be used as a heuristic to determine a more appropriate DoH server for the locality? Selection of the DoH server is also covered in section 4 of the draft RFC linked in the article.

I believe Mozilla’s stance on closing privacy loopholes – particularly where users seemingly have little control, as made clear in this article – is commendable and should serve as an example to others. This is not only about the rights of the individual, but also about national and corporate responsibility.

This is just a local proxy (including caching) which sends encrypted DNS requests to various DoH servers in the world. You can either choose on your own or let the proxy decide based on lowest latency (still, you can configure the list of servers to use).

2: mode: 0 and 5 are variants of off. 2 is soft-fail (recommended to deal with captive portals, split horizon, cloud downtime, etc.). 3 is hard-fail. 1 is “race” where DoH is raced against the OS resolver and the first one to complete wins, and 4 is “shadow” where DoH and the OS resolver are done in parallel (as with race) but the OS resolver result is always used. Race and Shadow are to help us evaluate the technology – I anticipate it to be deployed in soft-fail mode as an end state.

Now, it’d be nice if it allowed somehow to resolve specific hostnames locally or via the /etc/hosts file. Helps in testing and development. If people have to go through a tedious process every time they want to assign a specific address to a domain name, they’ll end up using Chrome.

How does this work with DNS-based Content Distribution Networks (CDNs), which deliver most of the world’s internet sites?

If Cloudflare does not share the end user’s approximate network location, users will be served from locations far away from them. Then word will spread very quickly on popular blogs and media that “Sites load much faster in Chrome than in Firefox, and Chrome plays videos with much higher quality.”

I really hope Cloudflare’s resolver is not the default choice, for Firefox’s sake (we need diversity and competition among browsers).

P.S.
Google’s 8.8.8.8 DNS Resolver supplies CDNs with your approximate location in the network, so it works fine.

How does this work in a corporate environment? How does Firefox know which queries to send over DoH and which to send to the corporate DNS servers? How do you prevent leaking internal information? Traditional DNS already leaks a lot.

I run my own NS resolver/validator at home. I prefer not to use this feature.

At present, I don’t understand why, but cannot disable it (setting 5 in network.trr blocks FF).

In the future, what happens if Mozilla, for the common good, enforces that feature? Should I then switch to another browser? I also understand the need to protect the uneducated user, but it does not look very good in the long run.

I like the idea of a modern encrypted DNS system, but do not like the idea of Firefox using a centralized service by default. How can you possibly ask us to trust some company called Cloudflare with essentially our entire browsing history?! Who are they, why should we care for them, who asked us if we want to use them? It doesn’t matter how good they are… to be fair I never heard anything bad about them so far: They are still a centralized service that I have no obligation in trusting or working with!

Making the URL customizable in about:config doesn’t cut it. If you’d actually place it in the preferences menu and make it selectable like the search engine, I might rethink my feelings on this a bit… as the current configuration stands however, I am strongly against the change. Feel free to implement it but do not enable this by default on us… not now and not ever, not until it’s part of a decentralized system that gives the user a choice in provider.

This is NOT being handled properly. Once again Mozilla is bungling things in a bad way which slowly alienates its shrinking user base… and the diehard promoters like myself as these things continue to pile up.
DO NOT make obviously objectionable policy changes like this DEFAULT especially without providing an easy way to change the setting for non-technical users. Do you think I want to promote your browser along with a list of repairs to everybody I send your way??
These things should at minimum require a user to OPT-IN to such changes. Long term you can use stats to decide the defaults; but this behavior continues to undermine the idea that Mozilla is for user freedom.

Centralizing DNS requests to a single provider creates a more centralized infrastructure, which is a privacy and availability nightmare. DoH itself is a good idea, but it should be handled by the OS; not the browser.

Please add a simple config button to remove this behavior! In our environment there is our own DNS service which blocks a lot of malware, tracking and ad sites. With your solution we have to use another browser.

While I welcome adding encryption to DNS, this is NOT THE WAY TO DO IT.
If this trend is going further, I soon have to shit over HTTPS or what?
A browser is not and will never be the only instance of something that needs to resolve names. It’s the job of the OS, and if by some magical event all those OS vendors decide this is a good idea I might have to live with that – or just do it the old way.

This idea screams government+3-letter-agencies+hackers misuse. A system where the browser may resolve a different address than my DNS is something very scary. A system that introduces a single point of “hack” is even worse. And please don’t talk anymore about those privacy policies, we know how it works in real life.

This idea is imho so bad, that I am wondering if after 20 years I maybe should try Internet Explorer. It couldn’t get any worse, could it?

Have the devs at Firefox ever set foot in an enterprise environment? Ever? Our enterprise, like many others, uses in-house DNS servers that serve up A records not available to the outside. We have to pretty much ban Firefox because of this, and its refusal to use the Windows certificate store. Mozilla has forgotten why we switched to it from IE. They’re pandering to hipster users and refuse to even consider enterprise use.

I guess April Fool’s Day came late this year. Mozilla CAN NOT be seriously considering sending all DNS queries to one company OVER my DHCP-DNS settings and my hosts file. ( as well as those in my house, my company, etc.)

I think this is a horrible idea. Putting all DNS requests through a single company is a single point of failure and a security/privacy risk. I’m all for helping out those that have no idea what they are doing be more secure, but not at this cost. If this change is enabled by default, I’ll be switching to another browser as it is a clear indication of Mozilla’s philosophy going forward and I don’t want to have to spend my time researching special about:config tweaks to ensure my privacy/security.

Ouch, this seems like a terrible idea, technical as well as business wise.
DNS resolution should not be the responsibility of a browser but the OS’s, not even to mention overriding the default DNS resolver by default.

– First of all your feature which “enhances privacy and security” might degrade the privacy and security as it will circumvent solutions like PiHole (https://pi-hole.net/) and other defense mechanisms put in place to protect end users and networks.
– For enterprise environments enabling this feature will leak internal DNS lookups.
– You are imposing your preference (Cloudflare DNS) upon users which explicitly do not want to use this DNS resolver (either due to privacy concerns or other reasons). If you’re turning on TRR by default they will have to opt-out. Meaning that if I want to continue using your browser I would have to opt-out this setting on every device on my network. Which is not doable.
– You are causing all this mayhem for advanced users and administrators while (a) the ‘default’ user does not even care and probably won’t even notice something different or (b) if they did, they would’ve already changed their DNS resolver on OS level.

So your “solution” will solve a problem that does not exist for the users it is intended for while causing massive headaches for the advanced users and administrators who advocate your browser.

Please reconsider this feature.

PS: I welcome the education of users on DNS resolvers and their relation to privacy and freedom. But please do so without breaking the mechanisms put in place by admins who work their asses off every day protecting those very users.

I initially thought it was a joke… I have to say that the Mozilla Foundation really deceived me with this announcement.

The Web is meant to be decentralized. It’s a fundamental principle which guarantees privacy, reliability and independence of the users. With this idea, you are doing exactly the opposite thing: jail every Firefox user into Cloudflare, and make them dependent on this single infrastructure.

Even if the starting idea is nice (protecting the privacy and security for users), this is really a horrible idea because:
– even if it’s meant to be “private”, Cloudflare is still an enterprise, and their business model is relying (at least partially) on using and selling data of their customers;
– a single failure or downtime from Cloudflare means that potentially all Firefox users could be affected from this (even if Cloudflare has a great reliability, it could still happen because of numerous reasons) ;
– users may want to use their own DNS servers, especially in the enterprise context.

And seriously, if people want to use their own DNS at system level, why bypass the decision? The power does not belong to the user anymore? I feel bad for those who don’t know about this technical stuff and will be under Cloudflare’s system then.

I know the DNS system may be not really “safe”, but is this a reason to make decisions like that? If the system is bad, the protocol and standard should rather be improved instead of just finding palliative solutions like this one.

I’m using Firefox (and spitting on Chrome/Edge) because I feel I have the control over my browser, and that my privacy is respected. But if this change makes it to release, I will probably look for an alternative to Firefox, not with a lot of sadness.
I know you Mozilla are trying to bring more users to Firefox with security and privacy promises, but please, don’t forget the principles and ideology you came from.

Are you serious? Cloudflare, which is an US company? And then you just hype this by saying “we have made a very strict privacy protection contract”? ARE YOU SERIOUS?

You know that the NSA can send an NSL to ANY US COMPANY, which then not only has to give out information and work together with the NSA, but at the same time has to DENY any sort of cooperation? Are you TRULY this naive? Cloudflare can do contracts with you as much as they want! This has ZERO meaning! If the NSA gives out an NSL because of national security reasons, then you can eat your contract! Since it’s not worth the paper it’s printed on anymore!

Giving a US company, that is by default NEVER trustable because of this NSL option, a perfect and full overview over every DNS resolve and connection, is NUTS! I’m so switching my browser now and not only for myself alone, but for all my friends I know as well!

This is completely crazy. Others have pointed it out already, but how can Firefox not only completely disregard the OS settings but also redirect our DNS queries to a private company?! Shame, we banned every other browser than Firefox at our company, we’ll have to go back on our choice it seems.

I don’t object quite as strongly as some, but I do absolutely refuse to be forced to use someone else’s infrastructure, especially someone like Cloudflare, whom I do not trust[1].

I love that Mozilla is still experimenting. I’m keen to see more and better privacy protections. But I’m getting increasingly nervous that the only browser I used to feel like I could trust is slowly becoming less trustworthy as they forge these sort of partnerships with orgs whose values are not really aligned with users.

[1] Why? None of your business. A browser-maker should not be making these choices. But does anyone else find being asked to share one’s DNS traffic with a huge, unaccountable, secretive organization that doesn’t even follow their own policies a bit… special?

This is pure insanity. If DoH servers are implemented by default, I can no longer recommend Firefox to anyone. Did you ever hear anything about data privacy? Why should we trust Cloudflare? I always liked Mozilla, but after even thinking about such a stupid change, I stop my donations to Mozilla right now.

At our company, we not only use split-view DNS, we furthermore use the DNS-RPZ mechanism (sometimes called DNS firewall) to block malvertised domains, active malware and virus sites in real time. If this mechanism is automatically enabled at some point, not only will all sorts of things break and cause support issues on a scale that we cannot manage, but it will also actively reduce the security of our users.

If you seriously consider switching this setting on by default in the future, please, prior to doing so, always poll some service record in the OS’ configured default DNS and in doing so give us tools to signal to the browser that the feature should not be activated at all, and at least have a warning message displayed to the user. Document and publish how one creates this record AND coordinate this with all other browser vendors so that enterprises have a chance to prevent a support nightmare.

I understand what this feature is trying to do and I also understand that a user can and must be able to manually override and activate this feature. But give us a chance to prevent mayhem here. It simply appears to me that not enough thought went into it so far, as split-view DNS is actually quite common and your detection attempt will not be able to catch that. (Hint: if http://www.company.name resolves differently from inside and from outside the company, but yields valid answers either way, you cannot decide properly what the correct course of action is.)

Specifically, logged traffic is only kept for 24h, contains no personal information, and any permanent logs (essentially count of domain names) is anonymized.

And if you’re still going to complain despite having read it, I’ll paste the final three paragraphs.

“Cloudflare will not retain or sell or transfer to any third party (except as may be required by law) any personal information, IP addresses or other user identifiers from the DNS queries sent from the Firefox browser to the Cloudflare Resolver for Firefox;

Cloudflare will not combine the data that it collects from such queries, with any other Cloudflare or third party data in any way that can be used to identify individual end users; and

Cloudflare will not sell, license, sublicense, or grant any rights to your data to any other person or entity without Mozilla’s explicit written permission.”

Including this capability to avoid policies, hosts lists, DNS blacklists, etc. in a non-blockable manner means that Firefox will need to be banned from my organization’s network, and my home network too.

Another example of how this will hurt organizations: school districts often have DNS settings on their internal servers to resolve http://www.google.com to a “safe search” IP address to force all Google Searches to return safe results. This prevents children from getting obscene images and search results for their Google Searches.

This proposal from FireFox would BREAK things like DNS-enforced Google Safe Searches for schools, libraries, etc.

Imagine running a non-public DNS server with DNS names only locally available. Nothing special. Many companies have it.
So enter this brilliant system. How will it resolve these names? First it goes to cloudflare. Cloudflare with a bit of luck returns “unknown” and then we look it up locally using a regular DNS call.
Result:
1/ Exposure of internal DNS names externally, which is security-wise NOT allowed as it can give external people a hint about our internal systems
2/ A gigantic performance hit

Mitigation: Will need to block ALL calls to the URLs used by Firefox already in our firewalls/proxies.

Security gain of this implementation: Nil (On the contrary, we added yet another attack vector).